Just want to add that I use the same system, but I don’t run my DMG through App Wrapper; DMG Canvas seems to have its own signing thing, which is good enough for me. (Maybe not everyone though.)
And a good time to again sing praises for App Wrapper and Sam’s diligence.
Hi @Tim Jones - Sorry I wasn’t able to answer your question in time, and I am glad to hear that you’ve figured out the cause of the problem. Let me make a note of your procedure, as I might be able to find a way to make it easier to do.
I thought the way disk image notarization actually worked was that it notarized the apps within. I remember an issue where you couldn’t notarize a disk image with a license agreement because the disk image wouldn’t mount.
@Sam Rowlands could we get a refresher on this? I’d like to be sure I know how it works.
Lol… I can’t say for sure. A lot of what I think I know is speculation based on little snippets here and there. Most of the internal stuff is undocumented and my attempts to get clarification on some things (from members within the team responsible) often don’t get answered.
It is my understanding that when an application is Notarized, a record is created on Apple’s servers (most likely using the UUID of the executables), regardless of the compressed file format used. DMG & PKG have support for an embedded ticket. So does Xip, but Apple will only accept Xip files from Apple and this is not expected to change ever.
When you open the compressed file, the OS inspects the ticket and appends it to the machine’s local database. If the OS can’t find a ticket it checks online for one. In theory you don’t NEED to include a ticket with the archive, however given the total unreliability of Apple’s services this year, I’d not recommend taking a chance.
I was thinking about this; recently I built an interrogation mechanism for DMG to find the main executable when adding a DMG file to App Wrapper’s Notarize window, that wasn’t auto added by App Wrapper. It’s possible I can adapt this mechanism to check the signatures on all the application bundles it finds, so then App Wrapper can alert you if the incorrect application is on the DMG.
As always, adding these kinds of checks will add more to do to the wrapping process and therefore will make wrapping take longer.
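
One way to script the check discussed in the last post, as an added example that is not from the thread and is not App Wrapper's code: mount the DMG read-only, verify each application bundle's signature and Team ID, then confirm the DMG carries a stapled ticket. It assumes macOS with Xcode's command line tools; the function names are hypothetical, the expected Team ID is supplied by the caller, and only bundles at the top level or one folder deep are inspected.

```sh
#!/bin/sh
# Added example (macOS only): audit the .app bundles on a DMG before shipping it.
# Usage: sh check_dmg.sh /path/to/Product.dmg EXPECTED_TEAM_ID

# Extract the TeamIdentifier value from `codesign -dv` output read on stdin.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# One bundle: the signature must verify and must belong to the expected team.
check_app() {
    app=$1; expected=$2
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL signature invalid: $app"; return 1
    fi
    # codesign writes its -dv details to stderr, hence 2>&1.
    team=$(codesign -dv "$app" 2>&1 | team_id_from_codesign)
    if [ "$team" != "$expected" ]; then
        echo "FAIL unexpected team '${team:-none}': $app"; return 1
    fi
    echo "OK $app"
}

# Whole DMG: mount read-only, check each bundle, then check the embedded ticket.
check_dmg() {
    dmg=$1; expected=$2; failures=0; checked=0
    mnt=$(mktemp -d) || return 2
    hdiutil attach -nobrowse -readonly -mountpoint "$mnt" "$dmg" >/dev/null || return 2
    for app in "$mnt"/*.app "$mnt"/*/*.app; do
        [ -d "$app" ] || continue          # skip unmatched glob patterns
        checked=$((checked + 1))
        check_app "$app" "$expected" || failures=$((failures + 1))
    done
    hdiutil detach "$mnt" >/dev/null
    rmdir "$mnt"
    [ "$checked" -gt 0 ] || { echo "FAIL no .app found on $dmg"; failures=$((failures + 1)); }
    # A stapled ticket means first launch does not depend on an online lookup.
    if ! xcrun stapler validate "$dmg" >/dev/null 2>&1; then
        echo "FAIL no stapled ticket: $dmg"; failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Run only when both arguments are given, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    check_dmg "$1" "$2"
fi
```
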